Chinese Hackers Infiltrate US Treasury Systems in Significant Cyber Breach
Arsalan Rathore
The US Treasury Department has confirmed that Chinese hackers successfully breached its systems, remotely accessing workstations and unclassified documents through a compromised cloud-based service provided by BeyondTrust.
In a statement released Monday, the Treasury labeled the breach as a “major cybersecurity incident.” However, the department has withheld specific details regarding the number of compromised workstations or the nature of the unclassified documents accessed.
The breach came to light on December 8th, when BeyondTrust informed the Treasury about a security lapse involving a critical key used to safeguard its cloud-based technical support service. This service, utilized by the Treasury Departmental Offices (DO), was exploited by threat actors to bypass security protocols.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” explained Aditi Hardikar, Assistant Secretary for Management at the U.S. Department of the Treasury, in a letter to lawmakers.
Authorities have attributed the breach to a state-sponsored Chinese Advanced Persistent Threat (APT) group.
“Treasury has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Intelligence Community, and third-party forensic investigators to fully characterize the incident and determine its overall impact,” Hardikar added. “CISA was engaged immediately upon Treasury’s knowledge of the attack, and the remaining governing bodies were contacted as soon as the scope of the cyber attack became evident.”
To mitigate further risks, the compromised service has been taken offline. The department has stated that there is currently no indication of ongoing access to its systems by the attackers.
The incident coincides with BeyondTrust’s disclosure of a critical vulnerability (CVE-2024-12356) in its Privileged Remote Access (PRA) and Remote Support (RS) products. On December 5th, 2024, BeyondTrust discovered that an API key for its Remote Support SaaS platform had been compromised. The company acted swiftly, revoking the key, notifying affected clients, and offering alternative support instances.
The Treasury breach follows closely on the heels of a broader Chinese cyberespionage campaign, referred to as “Salt Typhoon.” This campaign has reportedly enabled Chinese operatives to intercept private communications, including text messages and phone calls, from an unknown number of US citizens. A senior White House official recently confirmed that this extensive attack has impacted nine telecommunications companies.
The Treasury’s incident underscores growing concerns over the vulnerability of US systems to state-sponsored cyber threats, particularly those originating from China.